
security/acme-client: Auto Renewal of ECC certificate fails #2223

Closed
maurice-w opened this issue Feb 7, 2021 · 5 comments
Labels: bug Production bug

Comments

@maurice-w (Member)

[+] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
[+] I have searched the existing issues and I'm convinced that mine is new.
[+] The title contains the plugin to which this issue belongs

Describe the bug
I have two ECC certificates. One of them can be renewed without issues using either Auto Renewal, the 'Issue/Renew Certificates Now' button or the 'Issue/Renew' button in the Commands column.
The other one can only be renewed using the 'Issue/Renew' button in the Commands column. Auto Renewal as well as the 'Issue/Renew Certificates Now' button fail with this error message:

The domain 'example.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.

The only significant difference seems to be that the one which fails to auto renew has 'OCSP Must Staple' enabled.
Does this seem plausible?

To Reproduce
See bug description.

Additional context
Forum thread: https://forum.opnsense.org/index.php?topic=21085.0

Environment
OPNsense 21.1.r_96 (amd64, OpenSSL).
os-acme-client-devel 2.3

@fraenki fraenki self-assigned this Feb 8, 2021

fraenki commented Feb 8, 2021

> Auto Renewal as well as the 'Issue/Renew Certificates Now' button fail with this error message:

@maurice-w I need some more information to understand what's happening here. Please enable debug logging in Services: Let's Encrypt: Settings. Once a new attempt was made to run auto renewal for this cert, please provide the log entries from System: Log Files: General (search for "AcmeClient"). It should include the full list of acme.sh command line arguments.

Additionally a screenshot of the cert config (Services: Let's Encrypt: Certificates) may be useful.
(Feel free to obfuscate sensitive information.)

fraenki added a commit to fraenki/plugins that referenced this issue Feb 8, 2021
@fraenki fraenki added the bug Production bug label Feb 8, 2021

fraenki commented Feb 8, 2021

OK, I think this is fixed in 3e72b0f.
@maurice-w You may give it a try:

opnsense-patch -c plugins 3e72b0f5b7d9d10a62e1d29e5887abce1e9d8ef2

@maurice-w (Member, Author)

Thanks @fraenki, I applied the patch and we'll see what happens!

After a deep dive into the logs and config history, I now think that this issue affects all ECC certificates, is unrelated to OCSP Must Staple and was introduced with os-acme-client 2.x. Looking at your fix this seems plausible, would you agree?

The last successful auto renewal of both certificates was on 2020-11-11, a few days before the release of 2.0. At the next auto renewal on 2021-01-11, one certificate renewed while the other one failed with the ecc parameter error. Well, so I thought. Turns out the certificate which seemed to renew actually didn't. This originally was an RSA certificate which was later switched to ECC. It has since been renewed successfully multiple times. But /var/etc/acme-client/home still had a directory with the old RSA certificate (in addition to the current _ecc directory). The auto renewal on 2021-01-11 only "succeeded" because of this leftover RSA certificate with the same name. This was renewed instead of the actual ECC certificate.

(/var/etc/acme-client/home also had many certificates which have long been deleted in the GUI. Might it be a good idea to clean this up when a certificate gets removed?)


fraenki commented Feb 8, 2021

> Looking at your fix this seems plausible, would you agree?

I fully agree. The bug caused all ECC cert renewals to fail.

> Might it be a good idea to clean this up when a certificate gets removed?

Yes, we were not doing any cleanups for a pretty long time. os-acme-client version 1.25 added a removal feature, but it does not cleanup older certificate data. All "new" removals should not leave any traces anymore. (Well, there is one notable exception: the Let's Encrypt plugin will never remove a certificate from System: Trust: Certificates.)
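As an added example (not code from os-acme-client or acme.sh), the following POSIX shell script shows the decision the plugin has to make before invoking acme.sh, covering both problems described in this comment and the previous one: the missing '--ecc' flag for an ECC certificate, and the stale RSA directory left next to the '_ecc' directory of a domain that was switched from RSA to ECC. The on-disk layout (<domain> versus <domain>_ecc, each holding <domain>.key) and the acme.sh argument names are assumptions; the sample home directory and its key files are constructed and contain PEM headers only.

```shell
#!/bin/sh
# Added example, not code from os-acme-client or acme.sh. It mirrors the two
# failure modes from the thread: a renewal of an ECC certificate that omits
# "--ecc", and a stale RSA directory left beside the "_ecc" directory of a
# domain that was switched from RSA to ECC.
#
# Assumed (and labelled as an assumption) acme.sh home layout:
#   <home>/<domain>/       RSA certificate data, including <domain>.key
#   <home>/<domain>_ecc/   ECC certificate data, including <domain>.key

# key_type FILE: print "ecc", "rsa" or "unknown" based on the PEM header.
key_type() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo unknown; return 0; }
    if grep -q 'BEGIN EC PRIVATE KEY' "$keyfile"; then
        echo ecc
    elif grep -q 'BEGIN RSA PRIVATE KEY' "$keyfile"; then
        echo rsa
    else
        echo unknown
    fi
}

# renew_args HOME DOMAIN: print the acme.sh arguments for renewing DOMAIN.
# Returns 0 and prints the arguments when exactly one certificate directory
# exists for the domain; "--ecc" is added only for the "_ecc" directory.
# Returns 2 when both an RSA and an ECC directory exist (the leftover case
# from the thread, where the wrong certificate could be renewed silently).
# Returns 3 when no directory exists, 4 when the directory name and the
# key type inside it disagree.
renew_args() {
    home="$1"
    domain="$2"
    rsa_dir="$home/$domain"
    ecc_dir="$home/${domain}_ecc"

    if [ -d "$rsa_dir" ] && [ -d "$ecc_dir" ]; then
        echo "stale data: both $rsa_dir and $ecc_dir exist" >&2
        return 2
    fi
    if [ -d "$ecc_dir" ]; then
        if [ "$(key_type "$ecc_dir/$domain.key")" != ecc ]; then
            echo "$ecc_dir does not hold an EC key" >&2
            return 4
        fi
        echo "--renew -d $domain --ecc"
        return 0
    fi
    if [ -d "$rsa_dir" ]; then
        if [ "$(key_type "$rsa_dir/$domain.key")" != rsa ]; then
            echo "$rsa_dir does not hold an RSA key" >&2
            return 4
        fi
        echo "--renew -d $domain"
        return 0
    fi
    echo "no certificate directory for $domain under $home" >&2
    return 3
}

# make_sample_home: build a constructed acme.sh home in a temp directory and
# print its path. The key files contain PEM headers only; they are not keys.
make_sample_home() {
    sample="$(mktemp -d)"
    mkdir -p "$sample/ecc-only.example_ecc" \
             "$sample/rsa-only.example" \
             "$sample/switched.example" \
             "$sample/switched.example_ecc"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'constructed' \
        '-----END EC PRIVATE KEY-----' > "$sample/ecc-only.example_ecc/ecc-only.example.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$sample/rsa-only.example/rsa-only.example.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$sample/switched.example/switched.example.key"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'constructed' \
        '-----END EC PRIVATE KEY-----' > "$sample/switched.example_ecc/switched.example.key"
    echo "$sample"
}

# Run with "--demo" to print the decision for each constructed domain.
if [ "${1:-}" = "--demo" ]; then
    demo_home="$(make_sample_home)"
    for d in ecc-only.example rsa-only.example switched.example; do
        if args="$(renew_args "$demo_home" "$d")"; then
            echo "$d: acme.sh $args"
        else
            rc=$?
            echo "$d: refusing to renew (status $rc)"
        fi
    done
    rm -rf "$demo_home"
fi
```

The point of the stale-directory check is the one maurice-w hit: when both <domain> and <domain>_ecc exist, acme.sh invoked without '--ecc' will operate on the RSA directory and report success, while the ECC certificate actually in use is never renewed. Refusing to proceed in that state, and removing the leftover directory when a certificate is deleted in the GUI, is the safer behaviour.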


fraenki commented Feb 12, 2021

The fix will be released in os-acme-client 2.4.

@fraenki fraenki closed this as completed Feb 12, 2021